CyberWire Daily - Million-dollar hacks and a manhunt.

Episode Date: January 20, 2026

Authorities pursue Black Basta. British authorities launch a new national service to fight fraud and cybercrime. LinkedIn private messages get infected with RATs. Researchers uncover a new malicious extension that intentionally crashes the browser. Ingram Micro discloses a ransomware-related data breach. A Jordanian man pleads guilty to selling stolen access to corporate networks. Business Breakdown. Tim Starks from CyberScoop discusses Sean Plankey's renomination to lead CISA. Grave oversight in the funeral biz.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Tim Starks from CyberScoop as he discusses Sean Plankey's renomination to lead CISA. You can read Tim's take on it here.

Selected Reading
Police raid homes of alleged Black Basta hackers, hunt suspected Russian ringleader (The Record)
UK launches landmark 'Report Fraud' service to tackle cybercrime and fraud (The Record)
LinkedIn Phishing Campaign Exploits Open-Source Pen Testing Tool to Compromise Business Execs (Infosecurity Magazine)
Fake ad blocker extension crashes the browser for ClickFix attacks (Bleeping Computer)
Ingram Micro reveals ransomware attack hit 42,000 people - here's how to find out more (TechRadar)
Jordanian Man Pleads Guilty to Selling Stolen Logins for 50 Companies (Hackread)
CrowdStrike agrees to acquire SGNL for $740 million and Seraphic for $420 million. (N2K Pro)
Exclusive: Funeral Industry Faces Security Gaps as Top Firms Lack Key Certifications (The Chosun Daily)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful.
Starting point is 00:00:55 You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your zero-trust strategy from theory to execution. Authorities pursue Black Basta. British authorities launch a new national service to fight fraud and cybercrime. LinkedIn private messages get infected with RATs. PDF cider is a stealthy backdoor targeting Fortune 100 companies. Researchers uncover a new malicious extension that intentionally crashes the browser.
Starting point is 00:01:49 Ingram Micro discloses a ransomware-related data breach. A Jordanian man pleads guilty to selling stolen access to corporate networks. We've got our Business Breakdown. Tim Starks from CyberScoop discusses Sean Plankey's renomination to lead CISA. And grave oversight in the funeral biz. It's Tuesday, January 20th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us, as always.
Starting point is 00:02:48 Ukrainian and German authorities have identified two Ukrainian nationals suspected of working for the Russia-linked ransomware group Black Basta and have placed the group's alleged Russian leader on an international wanted list. Officials say Black Basta has operated since at least 2022, extorting hundreds of organizations worldwide and causing hundreds of millions of dollars in damage. The two suspects, operating from western Ukraine, allegedly focused on breaching networks and cracking stolen password hashes to enable ransomware attacks. Investigators seized digital devices and cryptocurrency during searches, and analysis is ongoing. Germany identified the suspected ringleader as 36-year-old Russian national Oleg Nefedov, accused of leading the group's operations
Starting point is 00:03:41 and ransom negotiations. Authorities believe he is in Russia. Leaked internal chats previously exposed Black Basta's structure and possible ties to the Conti and Ryuk ransomware networks. British authorities have formally launched Report Fraud, a new national service designed to transform how victims of fraud and cybercrime report incidents
Starting point is 00:04:06 and how police act on that information. Led by the City of London Police, the system replaces Action Fraud, which faced years of criticism for poor outcomes and lack of victim feedback. Report Fraud provides a single national reporting portal, promises follow-up updates when reports contribute to investigations, and uses real-time analytics to generate actionable intelligence. Officials say fraud now accounts for roughly half of all recorded crime in the U.K., costing the economy billions annually. A national awareness campaign aims to drive reporting at scale, while new analytics and closer cooperation with technology and telecoms firms are expected to help disrupt criminal operations more effectively. A phishing campaign delivering malware through private messages on LinkedIn is abusing legitimate open-source tools to infect victims with a remote-access
Starting point is 00:05:06 Trojan, according to researchers at ReliaQuest. Analysts say the operation targets high-value individuals, including executives and IT administrators, using industry-themed lures to build trust. Victims receive a malicious link leading to a WinRAR self-extracting archive that installs a legitimate PDF reader alongside a disguised malicious DLL. That DLL is loaded through DLL side-loading, helping the malware evade detection. Attackers then use an open-source penetration testing tool to maintain persistence, steal data, escalate privileges, and move laterally.
Starting point is 00:05:49 ReliaQuest warns the campaign highlights how social media remains an overlooked attack surface and urges organizations to apply email-level scrutiny, training, and controls to platforms like LinkedIn. A malvertising campaign has been caught distributing a fake browser extension called NexShield, posing as a privacy-focused ad blocker for Chrome and Edge, to deliver malware through a new ClickFix variant dubbed CrashFix. Researchers at Huntress say the extension deliberately crashes the browser by exhausting system resources, creating a real denial-of-service condition.
Starting point is 00:06:29 When users restart their browser, NexShield displays a fake security warning that instructs them to run copied commands in the Windows command prompt. That action triggers a PowerShell-based infection chain. In corporate domain-joined environments, the attack deploys ModeloRAT, a Python-based remote access tool capable of reconnaissance, command execution, persistence, and payload delivery. Huntress attributes the activity to a threat actor known as KongTuke and warns the campaign signals growing interest in enterprise networks. IT distributor Ingram Micro disclosed a ransomware-related data breach affecting over 42,000 individuals after detecting a cyber intrusion in early July of last year. The company said attackers accessed internal file repositories and stole employment and applicant
Starting point is 00:07:24 records containing personal and government-issued identification data. Ingram Micro notified authorities, alerted affected individuals, and offered two years of credit monitoring. While the company did not name the attackers, the ransomware group SafePay later claimed responsibility, alleging it stole 3.5 terabytes of data, claims that remain unverified. A Jordanian national has pleaded guilty in U.S. federal court to selling stolen access to corporate networks, underscoring the central role access brokers play in cybercrime operations. The Department of Justice said Farras Khali Ahmad Al-Bashiti, also known as Riz, admitted selling unauthorized login credentials tied to at least 50 victim organizations while operating from Georgia.
Starting point is 00:08:17 According to prosecutors, Al-Bashiti sold the credentials for cryptocurrency on a cybercrime forum in May 2023. The buyer was an undercover law enforcement officer. Investigators say the access provided direct entry into compromised corporate systems and exceeded the legal value threshold under federal fraud statutes. The case was led by the FBI with extradition support coordinated by the Department of Justice. Sentencing is scheduled for May 26. Turning to our Business Breakdown, we are highlighting over $350 million raised across seven investments alongside five acquisitions.
Starting point is 00:09:00 On the investment front, Israeli AI security operations company Torq raised $140 million in a Series D round. Now being valued at $1.2 billion, Torq plans to use these new funds to continue expanding the capabilities of its SOC platform and grow its market presence. Additionally, Nove emerged from stealth after raising $51.5 million across three funding rounds. After raising $8.5 million in a seed round in May of last year, $33 million in a Series A round in September, and $10 million in debt financing in December, the Israeli offensive security company is looking to scale AI penetration testing. For acquisitions, CrowdStrike completed two separate acquisitions for a total of $1.1 billion. With these moves, CrowdStrike has acquired
Starting point is 00:09:55 both Seraphic, an Israeli browser runtime security provider, and SGNL, a U.S.-based IAM provider. CrowdStrike intends to use both acquisitions to further support its Falcon platform by incorporating new AI and next-gen capabilities. That wraps up this week's Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro, and check out thecyberwire.com every Wednesday for the latest updates. Coming up after the break, Tim Starks from CyberScoop discusses
Starting point is 00:10:40 Sean Plankey's renomination to lead CISA, and there's grave oversight in the funeral biz. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Starting point is 00:11:08 Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles.
Starting point is 00:11:49 Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R.com slash cyberwire. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night,
Starting point is 00:12:32 how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.
Starting point is 00:12:55 And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A.com slash cyber.
Starting point is 00:13:19 Tim Starks is senior reporter at CyberScoop, and it is always my pleasure to welcome back to the show. Tim, hello there, sir. Hello there, sir. So, first of all, happy new year. Welcome to 2026 in all of its glory. It's amazing so far, right? Right, right. I want to start off with, I guess what I can only describe as a surprising story to me,
Starting point is 00:13:53 which is that Sean Plankey is back in the mix to head CISA. You reported on this. What's going on here, Tim? It's a little surprising to me, too, because pretty much his nomination was left for dead by basically everybody I knew. Yeah. So it's a little confusing.
Starting point is 00:14:12 It's a little mystifying where this leads us next. But the White House has said to me that they are committed to him. obviously renominating him suggests that that's the case. It does leave a pretty big question about how in the world does he get this job with what had been going on in the Senate? Mm-hmm. And, well, I mean, let's recap here. My understanding is that his nomination getting struck down, let's say, wasn't so much about him but about senators holding it up for other reasons.
Starting point is 00:14:48 Is that an accurate description? It's mostly accurate. I think to the extent that in one of the cases, the North Carolina Senate delegation, both Republicans, by the way, all Republicans holding them up for the most part, there are Democrats, there's a Democrat that's holding up for another reason, but that seems less important right now. The Republicans from North Carolina are holding them up over disaster. They're holding up all DHS nominees. They're saying that they need Kristi Noem to come testify to Senate Judiciary. That's an example. I think the bigger one that everyone had identified for me is that Rick Scott, Senator Rick Scott from Florida,
Starting point is 00:15:24 also a Republican, had held up his nomination over a Coast Guard contract for a contractor in his state that got partially canceled, worth many millions of dollars. And that doesn't seem to be tractable right now. Is that the right word? Because it's intractable. Yeah. It doesn't seem tractable right now. And I guess the reason that he's connected to that in any way to perform is that he's been
Starting point is 00:15:47 serving as a special advisor to the Coast Guard. Sean Plankey is an old Coastie. So that is a connection, the work he has been doing. But this was Kristi Noem's decision, you know, not his. So how much can you blame him for it? I don't know. So it's less, it's not exactly unconnected, but it's not very connected either.
Starting point is 00:16:09 Yeah. What kind of timeline do you suppose we're on here for this going one way or another? I mean, that's a really good question, Dave. You know, I, one of my colleagues, you know, with our story, we caught up with Sean Plankey, who was out at an event. He was representing the Coast Guard for an event.
Starting point is 00:16:28 And we caught up to him, and he, we asked him what, you know, what are you going to do to lift these holds, to convince senators to support you? And Sean's response was kind of like, not up to me, it's up to the White House. If the White House shows that they're invested, then I can probably move forward.
Starting point is 00:16:47 So it seems like he's at his wits end, or at least it sounded that way to us, about what can happen, what might happen next with him, and that it's out of his control is the way he seems to feel. Yeah. Well, I mean, you think of the White House renominates him,
Starting point is 00:17:05 then they're certainly literally doubling down on their belief in him. Right. Yeah. And, you know, the president's hold on the Republican Party
Starting point is 00:17:15 has been pretty remarkable even by the standards of what we expected it to be coming in, I think. And so it's surprising in the sense that, you know, here we have multiple Republicans
Starting point is 00:17:30 holding up a nomination. And I'm of the mind maybe that if they did want to exert some more pressure, they could and would, but maybe they decided not to spend their political capital on this. But, you know, why renominate him if you're not going to do everything again to get him through? Right, right. Well, shifting gears here, you had a story just a few days ago about some software that CISA was offering that had its own vulnerabilities. What's going on with this one, Tim?
Starting point is 00:18:00 Yeah, this was an interesting one. There was a researcher who found a vulnerability that was in a rather, do I want to say ironic place? It was a high-profile place. Yeah, there was a tool that CISA has on its website that helps government agency folk purchase secure software. Or when you go to the website and poke around on there, as this researcher did, that tool itself had a vulnerability. Cross-site scripting, it's called, and XSS is what a lot of people call it.
Starting point is 00:18:38 The vulnerability might have allowed the people who would have planted an attack on that site to attack others. It might have led to the website being defaced. The other thing that stands out about this, beyond the irony, if you will, is the fact that this researcher told me, his name is Jeff Williams. He told me that this was something that could have been fixed in five minutes
Starting point is 00:19:00 and that it demonstrated that they had really nobody doing the kind of work they need to be doing, just sort of basic website stuff that is pretty easy to fix. They had nobody really doing that. And that it took months for them to fix it. It took from September to December for it to get fixed. Any word from CISA as to why it took so long? Yeah, they didn't say why it took so long. I mean, I think he had a good answer, at least on part of this.
Starting point is 00:19:29 Jeff Williams did, about the fact that that September time frame, that's when the government was about to shut down. So that makes a certain amount of sense. Although, you know, he said this probably could have been a five-minute fix. I mean, there was a, they have a bug bounty program. There's a bug bounty program through Bugcrowd. Bugcrowd says this wasn't a critical enough vulnerability for them to pay out over it. And then, you know, once he got the attention of CISA, maybe they just decided it was low
Starting point is 00:19:55 priority, but once the shutdown happened, well, all bets were off. I mean, CISA did tell me that they appreciated the researcher contacting them. They got it fixed. That actually helped them fix and be aware of some other risks, and that this was an example of the process working, essentially. Okay. All's well that ends well, right? Everything's perfect.
Starting point is 00:20:15 As we know, all is well, and it's going to stay well. There you go. All right. Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining us. Thank you, Dave. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations
Starting point is 00:20:46 reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, in Korea, eight affiliates of the Kyowon Group are now under government investigation after a ransomware attack reminded everyone that even the funeral business is not immune to cybercrime. The incident exposed a quieter problem. The funeral industry's security posture appears to be built more on tradition than on modern safeguards. Data from the Korea Internet and Security Agency shows that none of the country's top funeral service providers
Starting point is 00:21:57 have obtained the government's information security management system certification, not because they failed, but because they're not required to try. Funeral companies sit in a regulatory gap, handling data on nearly 10 million subscribers and trillions in prepaid funds, while remaining outside rules applied to banks, platforms, or e-commerce firms. Experts say ransomware groups favor exactly this combination, steady cash flow, sensitive data, and thin defenses. Lawmakers now argue it may be time for the industry to plan not just for final arrangements,
Starting point is 00:22:37 but for basic cybersecurity hygiene, too. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth.
Starting point is 00:23:26 Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco,
Starting point is 00:24:12 bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com slash cyberwire 26.
Starting point is 00:24:38 I'll see you in San Francisco.
